IAB Europe's comments on the European Data Protection Board's 
“Guidelines 2/2019 on the processing of personal data under Article 
6(1)(b) GDPR in the context of the provision of online services to data 
subjects” 


IAB Europe (Transparency Register: 43167137250-27) represents 25 European national associations 
who in turn represent over 5,000 companies from across the online advertising ecosystem, from 
advertisers and media agencies to ad tech intermediaries, publishers and eCommerce companies. 
We have 70 companies in direct membership, including agencies, ad tech intermediaries, publishers 
and eCommerce companies. 


We have reviewed the European Data Protection Board’s (hereinafter ‘EDPB’) “Guidelines 2/2019 on 
the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online 
services to data subjects” (hereinafter ‘the Guidelines’), which have been circulated for consultation 
until 24 May. We are grateful for the opportunity to provide comments on the Guidelines. 


Preliminary remarks 


Article 6 of the GDPR offers six legal grounds for processing personal data. At least one legal ground 
must apply to justify processing under EU law. All legal grounds are equal and no single legal ground 
enjoys an elevated status. A company’s choice of the most appropriate legal basis for the processing 
of personal data should be subject to a context-specific assessment, taking into account all relevant 
provisions found in the GDPR and other laws. 


The Guidelines construe the applicability of Article 6(1)(b) so narrowly as to virtually exclude the 
processing of personal data in connection with the delivery of digital advertising, whether that 
advertising is targeted based on user behaviour or not. They draw more heavily on previous WP29 
Opinions than on the letter of the law, and are in places internally contradictory (e.g. in the case of 
data processing for the personalisation of advertising, which must meet the standard of being 
“essential”, whereas data processing for content personalisation need only meet the standard of 
“expected”). They omit to provide guidance on critical elements such as why the concepts of 
contract and consent are inherently different, and why content personalisation for the purpose of 
increasing user engagement would not be possible on the basis of Article 6(1)(b), whereas content 
personalisation for other purposes would. 


The Guidelines appear to constitute a further erosion of a central proposition of the GDPR pursuant 
to which if users have transparency about, and control over, how their personal data are processed, 
and data controllers are bound to adhere to principles such as data minimisation, purpose 
limitation, and privacy by design and default, personal data may be processed, including in relation 
to the delivery of digital advertising. The erosion of that proposition at a time when the GDPR has 
only been enforced for one year diminishes the investment companies have made in legal 
compliance and may foreclose consumers’ ability to benefit from technical, scientific, 
entertainment and business services that exist because they can be wholly or partly funded by 
advertising. 

We hope that following the public consultation period, the EDPB will reflect some of our concerns in 
its final text. We would be pleased to have the opportunity to discuss these observations with the 
EDPB at an appropriate time. 


This submission addresses the following sections of the Guidelines: 


• Part 1 - Introduction 
  o Section 1.1, Background 
• Part 2 - Analysis of Article 6(1)(b) 
  o Section 2.2, Interaction of Article 6(1)(b) with other lawful bases for processing 
  o Sections 2.4 and 2.5 on Necessity and Necessary for performance of a contract with the 
    data subject 
• Part 3 - Applicability of Article 6(1)(b) in specific situations 
  o Section 3.1, Processing for service improvement 
  o Section 3.2, Processing for fraud prevention 
  o Section 3.3, Processing for online behavioural advertising 
  o Section 3.4, Processing for personalisation of content 


It concludes with some general observations that are relevant for the entire text of the Guidelines. 


Part 1 - Introduction - Section 1.1, Background 


The Guidelines state: “Tracking of user behavior for the purposes of such advertising is often carried 
out in ways the user may not be aware of, and it may not be immediately obvious from the nature of 
the service provided, which makes it almost impossible in practice for the data subject to exercise 
any control over the user of their data” (paragraph 4). 


As the EDPB will be aware, tracking of consumers without their knowledge and without providing 
them control of their data is a violation of the GDPR. This sentence in the Guidelines suggests that 
the situation it describes - where users are tracked without their knowledge and without being able 
to do anything about it - is something that the current EU regulatory and legislative landscape 
somehow permits, and that the Guidelines on the processing of personal data under Article 6(1)(b) 
are intended to address. This is clearly not the case. Such tracking would be a breach of a number 
of provisions of the GDPR. We would suggest either that the sentence be deleted, or that it be 
modified as below: 


Tracking of user behavior for the purposes of such advertising [struck through: is often carried out in 
ways the user may not be] without the user being aware of the tracking and able to exercise control 
over it (e.g. by tei consent, ascend it, or ee a a to object, is 


Part 2 - Analysis of Article 6(1)(b) 


Section 2.2, Interaction of Article 6(1)(b) with other lawful bases for processing 


Contract v consent 

This section contains the statement at paragraph 20 that the concepts of contract and consent “are 
not the same and have different implications for data subjects’ rights and expectations”. The text 
notes that it is “important to distinguish between entering into a contract and giving consent within 
the meaning of Article 6(1)(a)” and warns of the risk that data subjects will “erroneously get the 
impression that they are giving their consent in line with Article 6(1)(a) when signing a contract or 
accepting terms of service” (para. 20). However, there is no explanation offered of how the two 
concepts - which intuitively seem indeed to be very similar - are materially different. It would have 
been a welcome development if the EDPB had taken the opportunity of these Guidelines to shed 
some light on this important question. 


Explicit consent as an alternative to contract 


In several places throughout the Guidelines, as discussed in more detail below, Article 6(1)(b) is held 
not to be an appropriate lawful basis for data processing that is not “objectively necessary” to 
deliver the service. The finding that it is not appropriate is often based on argumentation that seems 
equally applicable to the consent legal basis, yet the potential availability of other legal bases, 
including consent or even legitimate interests, is nonetheless evoked. It is hard to know what to make 
of these references to either consent or legitimate interests as potential alternatives to contract - 
that is, whether they are intended sincerely, and if so, why¹. Section 2.2, paragraph 21 on exceptions 
to the general prohibition on processing sensitive personal data seems to suggest a possible 
explanation for the apparent contradiction. This explanation is that the EDPB considers explicit 
consent to be a potential alternative to contract for the processing of data that is not “objectively 
necessary” (in the sense of strict, technical necessity) to deliver an online service but is considered 
by the controller to be necessary (e.g. because it enables him to finance the creation of his service). 
It would be helpful if the EDPB could clarify whether this reading is correct. 


Sections 2.4 & 2.5, Necessity and Necessary for performance of a contract with the data subject 
• Assimilation of “necessary” to “essential” or “indispensable” 


The Guidelines construe the concept of “necessity” so narrowly - and in a way that in our view is at 
variance with what the legislator intended in the relevant legal Articles and recitals - that not only 
would personalised advertising be out of scope of Article 6(1)(b), but even processing for the delivery 
and measurement of contextual advertising would likely require some other legal basis. Thus, 
necessity is assimilated to indispensability. For example, if the requested service can be provided 
without the specific processing taking place (even if the consequence was a more expensive or 
functionally inferior experience for the user?), the EDPB considers Article 6(1)(b) not to be an 
appropriate legal basis (see paragraphs 17 and 19). If there are “realistic, less intrusive alternatives, 
the processing is not necessary” (paragraph 25). Article 6(1)(b) “will not cover processing which is 
useful but not objectively necessary for performing the contractual service”. Similarly, per 
paragraph 30, the data controller must be able to demonstrate that the “main object of the specific 
contract... cannot, as a matter of fact, be performed if the specific processing of the personal data 
does not occur”. In a further extension that finds no basis in the wording of the GDPR, the Guidelines 
refer to necessity as requiring that the data processing be “for a purpose that is integral to the 
delivery of [the] contractual service to the data subject” (emphasis added) (paragraph 30). 


1 Put another way, the Guidelines seem to suggest that contract is an available legal basis - perhaps even the 
sole appropriate legal basis - for processing that is necessary to deliver the service, whereas if the processing 
does not meet the necessity test, then consent is preferable. Yet, Article 7(4) clearly contemplated consent as a 
potential legal basis for processing that is necessary to deliver an online service. Importantly, the recent 
Opinion of Advocate General Szpunar in Case C-673/17 Planet49 GmbH can certainly be read as giving service 
providers a measure of discretion in determining what is necessary and what not. 


• Is it necessary to pay staff and keep the lights on in order to deliver an online service? 


The Guidelines artificially separate the technical delivery of a service from how it is funded, removing 
considerations relating to the latter from the assessment of necessity in a way that no functioning 
business would actually be able to (see e.g. paragraphs 25 and 36). Thus, data processing that is 
merely “necessary for the controller’s wider business model” would not meet the standard for 
necessity (paragraph 36). Data processing to enable an advertising revenue stream (whether 
behavioural or not) falls outside the enforcers’ notion of necessity, though it may be seen as 
primordial in the service supplier’s understanding of the same concept. Imagine a website trying to 
match stray dogs and cats with owners seeking new pets. Putative new owners need to provide 
personal data, including names, addresses, and proof that they are able to take care of a new animal. 
The site uses Article 6(1)(b) to process data relating to user registration, and wishes to use the same 
legal basis to process personal data to deliver advertising by local pet supply stores. In theory, data 
processing to enable the advertising would be considered by the EDPB to be “unnecessary”, since it 
relates to how the site is funded and since in theory and with unlimited resources, the site could 
presumably deliver its matching service without advertising. But in reality, without the possibility 
of an additional revenue stream from advertising, the service might not be able to function. 


• Suppliers of online services are specifically excluded from deciding what is necessary 


Importantly, the Guidelines explicitly take the job of defining what constitutes “necessary” 
processing out of the hands of the online service suppliers. Thus, paragraph 27 notes that the 
“person who creates and offers the service may not decide what is necessary and impose that”. The 
Guidelines reaffirm the view taken in the WP29’s 2014 Opinion on the legitimate interests of the data 
subject that processing that is “unilaterally imposed on the data subject by the controller” may not 
be “genuinely necessary” for the performance of a contract merely because it is processing that the 
controller considers to be necessary (see citation of WP29 Opinion on page 8 of the Guidelines, at 
paragraph 28). By contrast, freedom of contract gives private parties the right to make a legally binding 
agreement without any external interference as to what type of obligations they can take upon 
themselves. Specifically, in the online context, many suppliers of online media and other sites would 
challenge the idea that they can impose terms on potential readers or other customers, who with 
rare exceptions can simply go elsewhere to obtain an equivalent service if they find the conditions 
for accessing a given site to be unfavourable to them. 


• Overburdening the notion of necessity to achieve policy ends 


Necessity becomes a compound notion in the Guidelines, integrating not only whether the data 
processing is needed in order to render the service but whether it is the least intrusive means of 
doing so. The assignment in the guidance of this special, compound meaning to the notion of 
“necessity” offends against the principle of law pursuant to which words should not be arbitrarily 
assigned a meaning within legislation that is significantly different from their normal meaning in 
everyday discourse. There is nothing wrong with data controllers being required to conduct their 
activities in the manner that is least privacy-intrusive possible. But that requirement is laid down 
elsewhere in the Regulation. It should not be arbitrarily integrated into the notion of “necessity” for 
the purposes of Article 6(1)(b). 


• Potential impact of the proposed way forward 


The narrow construction of necessity detailed above would directly and negatively impact data-driven 
online advertising and the media and other online services it currently enables. Private 
actors, including the digital media, should be able to process data for advertising purposes that are 
not strictly technically necessary for provision of the service but are necessary for the monetisation 
model chosen by that service, as long as the processing is demonstrably lawful under EU 
law. The rationale behind ad-supported services is that they are offered in a value exchange. Without 
the ability to benefit from that value exchange, they could not be financed and consequently would 
not be offered. From the service provider’s point of view, the service and its monetisation model are 
inextricably linked and cannot be treated as separate. 


Part 3 - Applicability of Article 6(1)(b) in specific situations 
Section 3.1, Processing for service improvement 


The Guidelines provide that service improvement for correction of bugs, errors, fixes and minor 
improvements should not fall within Article 6(1)(b). The processing carried out for these purposes 
identifies operational issues and corrects them (debugging), and facilitates ad measurement (e.g. 
measuring whether an ad is serving in a suitable (brand-safe) editorial environment). Both 
are relevant from the perspective of the user consuming the content. Improvements made upon 
collecting intelligence of this type need not adversely impact users’ privacy. Adjustments to the 
service delivery can be deduced from analytics undertaken on users and their engagement with the 
product. 


Flexibility to justify data processing in related situations is critical, while the choice of the legal basis 
available to a business should follow from its carrying out a data protection impact assessment. 
It is vital that the Guidelines do not foreclose permissibility of relying on Article 6(1)(b) in such 
instances. 


Section 3.2, Processing for fraud prevention 


The Guidelines state that processing for fraud prevention is likely to go beyond what is objectively 
necessary for the performance of a contract with a data subject. However, the media must be in a 
position to verify the genuine engagement with advertising and content, to deliver the service as 
agreed. A bot used to fraudulently mislead businesses on engagement will lead to a dilution of the 
value of content or advertising. It will more broadly undermine the organisation’s business. By contrast, 
the data facilitates effective fraud and spam prevention, including verifying that ads are not seen or 
clicked on by bots or other malicious actors. 


Flexibility to justify data processing in related situations is critical, while the choice of the legal basis 
available to a business should follow from its carrying out a data protection impact assessment. 
It is vital that the Guidelines do not foreclose permissibility of relying on Article 6(1)(b) in such 
instances. 


Section 3.3, Processing for online behavioural advertising 


The Guidelines contain the unsupported assertion that “[a]s a general rule, behavioural advertising 
does not constitute a necessary element of online services” (see paragraph 49) though the provider 
of a website that derives critical revenue from an advertising stream (while providing full 
transparency and control to users about the related data processing) might well consider the need 
to pay its staff and overhead costs to be not only necessary but essential. Similarly, Article 6(1)(b) 
“cannot provide a lawful basis for online behavioural advertising simply because such advertising 
indirectly [emphasis added] funds the provision of a service” (no explanation is provided of the 
difference between directly funding and indirectly funding - surely from the point of view of the 
supplier, revenue that enables content to be created and staff to be paid is simply revenue). Because 
processing for OBA “is separate from the objective purpose of the contract between the user and the 
service provider”, it is “not necessary for the performance of the contract at issue” (paragraph 50). 
The argument of its being separate from the purpose of the contract has no origin in the language of 
the Regulation; moreover, the assertion begs the question of who would decide whether and to what 
degree the funding of a service is separate from its delivery. Indeed, under the freedom of contract 
and principle of party autonomy it is the parties to a contract that determine its contents, and 
therefore, what is necessary. 


The ensuing paragraph notes that data protection is a fundamental right. It goes on to assert that 
“personal data cannot be considered as a tradeable commodity”. Whereas “data subjects can agree 
to the processing of their personal data”, they “cannot trade away their fundamental rights”. It is 
difficult to understand what this statement means. Does it mean that the consent lawful basis may 
be appropriate for OBA but not Article 6(1)(b)? Arguably it is not the data themselves that are the 
currency in the paradigm that is referenced, but rather the possibility of using data to deliver more 
relevant advertising and measurement, linked to which is the user’s willingness to receive 
advertising based on those data. Yet, the GDPR is precisely about creating a safe space for users to 
elect to have their data processed in exchange for valuable services. These passages in the Guidelines 
undercut the possibility for users to make choices - something that will penalise citizens seeking 
information and other online content and services on terms that align to their economic 
possibilities. 


The real-life potential negative effects of such an approach are not hard to guess. As evidenced 
recently in a report by Guillaume Klossa, special adviser to European Commission Vice-President 
Andrus Ansip, the media sector is principally reliant on advertising as one of the three major revenue 
sources, alongside consumer payments (transaction and subscription) and public funding². Press 
sustainability would be seriously impaired without advertising revenue. Moreover, it can be 
demonstrated that behavioural targeting data generates significant revenue uplifts in comparison 
with run-of-network advertising, which buys clicks or impressions without reference to behavioural 
data³. This in turn allows media companies to build more sustainable digital business models. 


It is worth stressing that data processing is critical even for showing basic ads and contextual 
advertising, which also can be used to directly fund the service. This is possible with, for instance, 
usage of real-time information about the context in which the ad will be shown, including 
information about the content and the device (device type and capabilities, user agent, URL, IP 
address) with respect to basic ads, as well as collected information about content that the user had 
seen with respect to contextual advertising. In addition, any modern online advertising relies on ad 
measurement to understand whether an ad has been successfully displayed and viewed as per the 
agreement between a publisher selling advertising and an advertiser purchasing advertising. While 
it may theoretically be possible to advertise online without processing any personal data beyond an 
IP address for transfer of ad files across the internet, such advertising would have virtually no value 
as a result of not being behaviourally or contextually targeted, frequency capped, and measured, 
and is therefore not a realistic alternative. 


2 https://ec.europa.eu/commission/sites/beta-political/files/gk_special_report-european_media_sovereignty.pdf, p. 37. 


3 https://datadrivenadvertising.eu/wp-content/uploads/2017/09/BehaviouralTargeting_FINAL.pdf, p. 4. 


The EDPB acknowledges that personalisation of content may constitute an expected element of 
certain online services (paragraph 54). As corroborated by the report and research referenced in the 
third paragraph of this section, advertising is recognised as an integral element of the media, which 
implies that users will expect to see advertising in various outlets. The same principle will apply to 
the expectation of personalised advertising in digital media, which should inform permissibility of 
processing for online behavioural advertising under Article 6(1)(b). 


Section 3.4, Processing for personalisation of content 


We welcome the indication in the Guidelines that Article 6(1)(b) may be considered to be a suitable 
legal basis for content personalisation, on the basis that such personalisation may constitute an 
expected element of online services. However, we note that the guidance provided is vague and 
susceptible of different interpretations, and in places contradictory. For example, whether Article 
6(1)(b) is an available legal basis will depend on the nature of the service provided, the expectations 
of an “average” user, and how the service in question is promoted (paragraph 54). A further criterion 
is whether the service can be provided without personalisation, which seems incoherent with the 
lower standard of whether or not the user is likely to expect it that is evoked earlier in the same 
paragraph. Finally, for reasons that are not explained, if content personalisation is done for the 
purpose of increasing user engagement (which may in practice be the same as increasing user 
enjoyment and interest), then Article 6(1)(b) is not an available legal basis. The examples given on 
p. 14 increase the impression of a standard being applied arbitrarily. 


Data controllers are advised in this section, as in others, to “consider an alternative lawful basis” to 
6(1)(b) if the conditions for its use appear not to be met. Against this context, it is important to bear 
in mind that, at least in relation to consent, previous WP29 and EDPB guidance is equally, if not more, 
constraining. Perhaps as noted above, the aim is to drive the industry toward the use of “explicit 
consent” for the data processing for ad personalisation and content personalisation that these 
Guidelines would seem to place outside of scope of Article 6(1)(b). 


Brussels, 24 May 2019 


